@openneuro/server 4.20.4 → 4.20.6-alpha.2

package/src/graphql/__tests__/{comment.spec.js → comment.spec.ts}

@@ -1,48 +1,48 @@
-import { vi } from 'vitest'
-import { connect } from 'mongoose'
-import { deleteComment, flatten } from '../resolvers/comment'
-import Comment from '../../models/comment'
+import { vi } from "vitest"
+import { connect } from "mongoose"
+import { deleteComment, flatten } from "../resolvers/comment"
+import Comment from "../../models/comment"
 
-vi.mock('ioredis')
+vi.mock("ioredis")
 
-describe('comment resolver helpers', () => {
-  describe('deleteComment', () => {
+describe("comment resolver helpers", () => {
+  describe("deleteComment", () => {
     let aId
     const adminUser = {
-      user: '1234',
+      user: "1234",
       userInfo: { admin: true },
     }
     const nonAdminUser = {
-      user: '5678',
+      user: "5678",
       userInfo: { admin: false },
     }
     beforeAll(async () => {
       await connect(globalThis.__MONGO_URI__)
       const comment = new Comment({
-        text: 'a',
+        text: "a",
         createDate: new Date().toISOString(),
-        user: { id: '5678' },
+        user: { id: "5678" },
       })
       await comment.save()
       aId = comment.id
     })
 
-    it('returns an array of the deleted comment ids', async () => {
+    it("returns an array of the deleted comment ids", async () => {
       const deletedIds = (
         await deleteComment({}, { commentId: aId }, adminUser)
-      ).map(id => id.toString())
+      ).map((id) => id.toString())
       expect(deletedIds[0]).toEqual(aId)
     })
 
-    it('prevents non-admin users from deleting comments', () => {
+    it("prevents non-admin users from deleting comments", () => {
       return expect(
         deleteComment({}, { commentId: aId }, nonAdminUser),
-      ).rejects.toMatch('You do not have admin access to this dataset.')
+      ).rejects.toMatch("You do not have admin access to this dataset.")
     })
   })
 
-  describe('flatten', () => {
-    it('unrolls an array', () => {
+  describe("flatten", () => {
+    it("unrolls an array", () => {
       const arrarr = [
         [1, 2, 3],
         [4, 5],

package/src/graphql/__tests__/permissions.spec.ts

@@ -0,0 +1,113 @@
+import { vi } from "vitest"
+import {
+  checkDatasetAdmin,
+  checkDatasetWrite,
+  checkPermissionLevel,
+  datasetReadQuery,
+  states,
+} from "../permissions"
+
+vi.mock("ioredis")
+
+describe("resolver permissions helpers", () => {
+  describe("datasetReadQuery()", () => {
+    it("returns public for anonymous users", () => {
+      expect(datasetReadQuery("ds000001", null, null)).toHaveProperty(
+        "public",
+        true,
+      )
+    })
+    it("returns non-public for admins", () => {
+      expect(
+        datasetReadQuery("ds000001", "1234", { admin: true }),
+      ).not.toHaveProperty("public", true)
+    })
+    it("returns public for logged in users", () => {
+      expect(
+        datasetReadQuery("ds000001", "1234", { admin: false }),
+      ).toHaveProperty("public", true)
+    })
+  })
+  describe("checkPermissionLevel(..., READ)", () => {
+    it("returns false if no permission passed in", () => {
+      expect(checkPermissionLevel(null, states.READ)).toBe(false)
+    })
+    it("returns true for valid read access level", () => {
+      expect(checkPermissionLevel({ level: "admin" }, states.READ)).toBe(true)
+      expect(checkPermissionLevel({ level: "ro" }, states.READ)).toBe(true)
+    })
+    it("returns false if an unexpected level is present", () => {
+      expect(checkPermissionLevel({ level: "not-real" }, states.READ)).toBe(
+        false,
+      )
+    })
+  })
+  describe("checkPermissionLevel(..., WRITE)", () => {
+    it("returns false if no permission passed in", () => {
+      expect(checkPermissionLevel(null, states.WRITE)).toBe(false)
+    })
+    it("returns true for admin", () => {
+      expect(checkPermissionLevel({ level: "admin" }, states.WRITE)).toBe(true)
+    })
+    it("returns false for read only access", () => {
+      expect(checkPermissionLevel({ level: "ro" }, states.WRITE)).toBe(false)
+    })
+    it("returns false if an unexpected level is present", () => {
+      expect(checkPermissionLevel({ level: "not-real" }, states.WRITE)).toBe(
+        false,
+      )
+    })
+  })
+  describe("checkDatasetWrite()", () => {
+    it("resolves to false for anonymous users", () => {
+      return expect(
+        checkDatasetWrite("ds000001", null, null, undefined, {
+          checkExists: false,
+        }),
+      ).rejects.toThrowErrorMatchingSnapshot()
+    })
+    it("resolves to true for admins", () => {
+      return expect(
+        checkDatasetWrite("ds000001", "1234", { admin: true }, undefined, {
+          checkExists: false,
+        }),
+      ).resolves.toBe(true)
+    })
+  })
+  describe("checkPermissionLevel(..., ADMIN)", () => {
+    it("returns false if no permission passed in", () => {
+      expect(checkPermissionLevel(null, states.ADMIN)).toBe(false)
+    })
+    it("returns true for admin", () => {
+      expect(checkPermissionLevel({ level: "admin" }, states.ADMIN)).toBe(true)
+    })
+    it("returns false for read write access", () => {
+      expect(checkPermissionLevel({ level: "rw" }, states.ADMIN)).toBe(false)
+    })
+    it("returns false for read only access", () => {
+      expect(checkPermissionLevel({ level: "ro" }, states.ADMIN)).toBe(false)
+    })
+    it("returns false if an unexpected level is present", () => {
+      expect(checkPermissionLevel({ level: "not-real" }, states.ADMIN)).toBe(
+        false,
+      )
+    })
+  })
+  describe("checkDatasetAdmin()", () => {
+    it("resolves to false for anonymous users", () => {
+      return expect(
+        checkDatasetAdmin("ds000001", null, null, { checkExists: false }),
+      ).rejects.toThrowErrorMatchingSnapshot()
+    })
+    it("resolves to true for admins", () => {
+      return expect(
+        checkDatasetAdmin(
+          "ds000001",
+          "1234",
+          { admin: true },
+          { checkExists: false },
+        ),
+      ).resolves.toBe(true)
+    })
+  })
+})

package/src/graphql/{permissions.js → permissions.ts}

@@ -1,23 +1,23 @@
-import config from '../config.js'
-import { GraphQLError } from 'graphql'
-import Permission from '../models/permission'
-import Dataset from '../models/dataset'
-import Deletion from '../models/deletion'
+import config from "../config"
+import { GraphQLError } from "graphql"
+import Permission from "../models/permission"
+import Dataset from "../models/dataset"
+import Deletion from "../models/deletion"
 
 // Definitions for permission levels allowed
 // Admin is write + manage user permissions
 export const states = {
   READ: {
-    errorMessage: 'You do not have access to read this dataset.',
-    allowed: ['ro', 'rw', 'admin'],
+    errorMessage: "You do not have access to read this dataset.",
+    allowed: ["ro", "rw", "admin"],
   },
   WRITE: {
-    errorMessage: 'You do not have access to modify this dataset.',
-    allowed: ['rw', 'admin'],
+    errorMessage: "You do not have access to modify this dataset.",
+    allowed: ["rw", "admin"],
   },
   ADMIN: {
-    errorMessage: 'You do not have admin access to this dataset.',
-    allowed: ['admin'],
+    errorMessage: "You do not have admin access to this dataset.",
+    allowed: ["admin"],
   },
 }
 
@@ -62,10 +62,10 @@ export class DeletedDatasetError extends GraphQLError {
         const url = new URL(redirect)
         if (
           url.hostname === canonical.hostname &&
-          url.pathname.startsWith('/datasets')
+          url.pathname.startsWith("/datasets")
         ) {
           // Only return a relative path to avoid cross site risks
-          extensions = { code: 'DELETED_DATASET', redirect: url.pathname }
+          extensions = { code: "DELETED_DATASET", redirect: url.pathname }
         }
       } catch (err) {
         // Do nothing
@@ -77,7 +77,7 @@ export class DeletedDatasetError extends GraphQLError {
   }
 }
 
-export const checkDatasetExists = async datasetId => {
+export const checkDatasetExists = async (datasetId) => {
   const deleted = await Deletion.findOne({ datasetId }).exec()
   if (deleted) {
     throw new DeletedDatasetError(datasetId, deleted.reason, deleted.redirect)

package/src/graphql/resolvers/__tests__/brainlife.spec.ts

@@ -1,20 +1,20 @@
-import { vi } from 'vitest'
-import { HasId } from '../../../utils/datasetOrSnapshot'
-import { brainlifeQuery } from '../brainlife'
+import { vi } from "vitest"
+import { HasId } from "../../../utils/datasetOrSnapshot"
+import { brainlifeQuery } from "../brainlife"
 
-vi.mock('ioredis')
+vi.mock("ioredis")
 
-describe('brainlife resolvers', () => {
-  it('correctly queries drafts', () => {
-    expect(brainlifeQuery({ id: 'ds000001' } as HasId).toString()).toEqual(
-      'https://brainlife.io/api/warehouse/datalad/datasets?find=%7B%22removed%22%3Afalse%2C%22path%22%3A%7B%22%24regex%22%3A%22%5EOpenNeuro%2Fds000001%22%7D%7D',
+describe("brainlife resolvers", () => {
+  it("correctly queries drafts", () => {
+    expect(brainlifeQuery({ id: "ds000001" } as HasId).toString()).toEqual(
+      "https://brainlife.io/api/warehouse/datalad/datasets?find=%7B%22removed%22%3Afalse%2C%22path%22%3A%7B%22%24regex%22%3A%22%5EOpenNeuro%2Fds000001%22%7D%7D",
     )
   })
-  it('correctly queries versioned datasets', () => {
+  it("correctly queries versioned datasets", () => {
     expect(
-      brainlifeQuery({ id: 'ds000001:1.0.0', tag: '1.0.0' }).toString(),
+      brainlifeQuery({ id: "ds000001:1.0.0", tag: "1.0.0" }).toString(),
     ).toEqual(
-      'https://brainlife.io/api/warehouse/datalad/datasets?find=%7B%22removed%22%3Afalse%2C%22path%22%3A%7B%22%24regex%22%3A%22%5EOpenNeuro%2Fds000001%22%7D%2C%22version%22%3A%221.0.0%22%7D',
+      "https://brainlife.io/api/warehouse/datalad/datasets?find=%7B%22removed%22%3Afalse%2C%22path%22%3A%7B%22%24regex%22%3A%22%5EOpenNeuro%2Fds000001%22%7D%2C%22version%22%3A%221.0.0%22%7D",
     )
   })
 })

package/src/graphql/resolvers/__tests__/{dataset-search.spec.js → dataset-search.spec.ts}

@@ -1,31 +1,32 @@
+import { vi } from "vitest"
 import {
-  encodeCursor,
   decodeCursor,
   elasticRelayConnection,
-} from '../dataset-search'
+  encodeCursor,
+} from "../dataset-search"
 
-vi.mock('ioredis')
-vi.mock('../../../elasticsearch/elastic-client.js')
-vi.mock('../../../config.js')
+vi.mock("ioredis")
+vi.mock("../../../elasticsearch/elastic-client.ts")
+vi.mock("../../../config.ts")
 
-describe('dataset search resolvers', () => {
-  describe('encodeCursor()', () => {
-    it('returns an encoded string', () => {
-      expect(encodeCursor([2.513, 'ds00005'])).toEqual(
-        'WzIuNTEzLCJkczAwMDA1Il0=',
+describe("dataset search resolvers", () => {
+  describe("encodeCursor()", () => {
+    it("returns an encoded string", () => {
+      expect(encodeCursor([2.513, "ds00005"])).toEqual(
+        "WzIuNTEzLCJkczAwMDA1Il0=",
       )
     })
   })
-  describe('decodeCursor()', () => {
-    it('returns a decoded array', () => {
-      expect(decodeCursor('WzIuNTEzLCJkczAwMDA1Il0=')).toEqual([
+  describe("decodeCursor()", () => {
+    it("returns a decoded array", () => {
+      expect(decodeCursor("WzIuNTEzLCJkczAwMDA1Il0=")).toEqual([
         2.513,
-        'ds00005',
+        "ds00005",
       ])
     })
   })
-  describe('elasticRelayConnection()', () => {
-    it('returns a relay cursor for empty ApiResponse', async () => {
+  describe("elasticRelayConnection()", () => {
+    it("returns a relay cursor for empty ApiResponse", async () => {
       const emptyApiResponse = {
         body: {
           hits: {
@@ -46,13 +47,14 @@ describe('dataset search resolvers', () => {
           hasPreviousPage: false,
         },
       }
+      // @ts-expect-error Mock version does not use all arguments
       const connection = await elasticRelayConnection(emptyApiResponse, {
         dataset: vi.fn(),
       })
       expect(connection).toMatchObject(nullRelayConnection)
     })
 
-    it('returns a relay cursor for ApiResponse with results', () => {
+    it("returns a relay cursor for ApiResponse with results", () => {
       const mockResolvers = {
         dataset: vi.fn(),
       }
@@ -61,9 +63,9 @@ describe('dataset search resolvers', () => {
         body: {
           hits: {
             hits: [
-              { _source: { id: 'testdataset1' } },
-              { _source: { id: 'testdataset2' } },
-              { _source: { id: 'testdataset3' }, sort: [1] },
+              { _source: { id: "testdataset1" } },
+              { _source: { id: "testdataset2" } },
+              { _source: { id: "testdataset3" }, sort: [1] },
             ],
             total: { value: 10 },
           },
@@ -71,7 +73,7 @@ describe('dataset search resolvers', () => {
       }
 
       const resultsRelayConnection = {
-        edges: expectedApiResponse.body.hits.hits.map(hit => {
+        edges: expectedApiResponse.body.hits.hits.map((hit) => {
           // This skips the dataset resolver logic and passes this back
           mockResolvers.dataset.mockReturnValueOnce(hit._source)
           return {
@@ -81,7 +83,7 @@ describe('dataset search resolvers', () => {
         }),
         pageInfo: {
           count: 10,
-          endCursor: 'WzFd',
+          endCursor: "WzFd",
           hasNextPage: true,
           startCursor: null,
           hasPreviousPage: false,
@@ -89,7 +91,7 @@ describe('dataset search resolvers', () => {
       }
       const connection = elasticRelayConnection(
         expectedApiResponse,
-        'test',
+        "test",
         3,
         mockResolvers,
       )

package/src/graphql/resolvers/__tests__/dataset.spec.ts

@@ -0,0 +1,175 @@
+import { vi } from "vitest"
+import { connect } from "mongoose"
+import request from "superagent"
+import * as ds from "../dataset"
+
+vi.mock("superagent")
+vi.mock("ioredis")
+vi.mock("../../../config.ts")
+vi.mock("../../../libs/notifications.ts")
+
+describe("dataset resolvers", () => {
+  beforeAll(() => {
+    connect(globalThis.__MONGO_URI__)
+  })
+  describe("createDataset()", () => {
+    it("createDataset mutation succeeds", async () => {
+      const { id: dsId } = await ds.createDataset(
+        null,
+        { affirmedDefaced: true, affirmedConsent: false },
+        { user: "123456", userInfo: {} },
+      )
+      expect(dsId).toEqual(expect.stringMatching(/^ds[0-9]{6}$/))
+    })
+  })
+  describe("snapshotCreationComparison()", () => {
+    it('sorts array of objects by the "created" and "tag" properties', () => {
+      const testArray = [
+        { id: 2, created: new Date("2018-11-20T00:05:43.473Z"), tag: "1.0.0" },
+        { id: 1, created: new Date("2018-11-19T00:05:43.473Z"), tag: "1.0.1" },
+        { id: 3, created: new Date("2018-11-23T00:05:43.473Z"), tag: "1.0.2" },
+        { id: 5, created: new Date("2018-11-23T00:05:43.473Z"), tag: "1.0.10" },
+        { id: 4, created: new Date("2018-11-23T00:05:43.473Z"), tag: "1.0.3" },
+      ]
+      const sorted = testArray.sort(ds.snapshotCreationComparison)
+      expect(sorted[0].id).toBe(2)
+      expect(sorted[1].id).toBe(1)
+      expect(sorted[2].id).toBe(3)
+      expect(sorted[3].id).toBe(4)
+      expect(sorted[4].id).toBe(5)
+    })
+    it('sorts array of objects by the "created" property as strings', () => {
+      const testArray = [
+        { id: 2, created: "2018-11-20T00:05:43.473Z", tag: "2.0.0" },
+        { id: 1, created: "2018-11-19T00:05:43.473Z", tag: "1.0.0" },
+        { id: 3, created: "2018-11-23T00:05:43.473Z", tag: "3.0.0" },
+      ]
+      const sorted = testArray.sort(ds.snapshotCreationComparison)
+      expect(sorted[0].id).toBe(1)
+      expect(sorted[1].id).toBe(2)
+      expect(sorted[2].id).toBe(3)
+    })
+    it("sorts non-semver tags mixed with semver tags", () => {
+      const testArray = [
+        { id: 2, created: new Date("2018-11-19T00:05:43.473Z"), tag: "1.0.2" },
+        {
+          id: 1,
+          created: new Date("2018-11-19T00:05:43.473Z"),
+          tag: "57fed018cce88d000ac1757f",
+        },
+        { id: 3, created: new Date("2018-11-19T00:05:43.473Z"), tag: "1.0.1" },
+      ]
+      const sorted = testArray.sort(ds.snapshotCreationComparison)
+      expect(sorted[0].id).toBe(2)
+      expect(sorted[1].id).toBe(1)
+      expect(sorted[2].id).toBe(3)
+    })
+    it("sorts snapshots with only non-semver tags", () => {
+      const testArray = [
+        {
+          id: 2,
+          created: new Date("2018-11-19T00:05:43.473Z"),
+          tag: "00001",
+        },
+        {
+          id: 1,
+          created: new Date("2018-11-19T00:05:43.473Z"),
+          tag: "57fed018cce88d000ac1757f",
+        },
+        {
+          id: 3,
+          created: new Date("2018-11-19T00:05:43.473Z"),
+          tag: "57fed018cce88d000ac1757f",
+        },
+      ]
+      const sorted = testArray.sort(ds.snapshotCreationComparison)
+      expect(sorted[0].id).toBe(2)
+      expect(sorted[1].id).toBe(1)
+      expect(sorted[2].id).toBe(3)
+    })
+    it("sorts very similar creation times by semver order", () => {
+      const testSnapshots = [
+        {
+          id: "ds002680:1.0.0",
+          created: "2020-04-03T23:19:56.000Z",
+          tag: "1.0.0",
+        },
+        {
+          id: "ds002680:1.2.0",
+          created: "2021-10-19T16:26:43.000Z",
+          tag: "1.2.0",
+        },
+        {
+          id: "ds002680:1.1.0",
+          created: "2021-10-19T16:26:44.000Z",
+          tag: "1.1.0",
+        },
+      ]
+      const sorted = testSnapshots.sort(ds.snapshotCreationComparison)
+      expect(sorted[0].id).toBe("ds002680:1.0.0")
+      expect(sorted[1].id).toBe("ds002680:1.1.0")
+      expect(sorted[2].id).toBe("ds002680:1.2.0")
+    })
+    it("sorts 000002 (legacy snapshots) before 1.0.1 (current format)", () => {
+      const testSnapshots = [
+        {
+          id: "ds000247:00002",
+          created: "2018-07-18T02:27:39.000Z",
+          tag: "00002",
+        },
+        {
+          id: "ds000247:00001",
+          created: "2018-07-18T02:35:37.000Z",
+          tag: "00001",
+        },
+        {
+          id: "ds000247:1.0.0",
+          created: "2021-07-05T15:58:18.000Z",
+          tag: "1.0.0",
+        },
+        {
+          id: "ds000247:1.0.1",
+          created: "2021-08-25T23:37:53.000Z",
+          tag: "1.0.1",
+        },
+      ]
+      const sorted = testSnapshots.sort(ds.snapshotCreationComparison)
+      expect(sorted[0].id).toBe("ds000247:00002")
+      expect(sorted[1].id).toBe("ds000247:00001")
+      expect(sorted[2].id).toBe("ds000247:1.0.0")
+      expect(sorted[3].id).toBe("ds000247:1.0.1")
+    })
+  })
+  describe("deleteFiles", () => {
+    beforeEach(() => {
+      request.post.mockClear()
+    })
+    it("makes correct delete call to datalad", () => {
+      // capture and check datalad delete request
+      request.del = (url) => ({
+        set: (header1, headerValue1) => ({
+          set: () => ({
+            send: ({ filenames }) => {
+              expect(url).toEqual("http://datalad-0/datasets/ds999999/files")
+              expect(filenames).toEqual([":sub-99"])
+              expect(header1).toEqual("Cookie")
+              expect(headerValue1).toMatch(/^accessToken=/)
+            },
+          }),
+        }),
+      })
+
+      return ds.deleteFiles(
+        null,
+        { datasetId: "ds999999", files: [{ path: "/sub-99" }] },
+        {
+          user: "a_user_id",
+          userInfo: {
+            // bypass permission checks
+            admin: true,
+          },
+        },
+      )
+    })
+  })
+})

package/src/graphql/resolvers/__tests__/derivatives.spec.ts

@@ -1,35 +1,35 @@
-import { vi } from 'vitest'
-import { githubDerivativeQuery, derivativeObject } from '../derivatives'
+import { vi } from "vitest"
+import { derivativeObject, githubDerivativeQuery } from "../derivatives"
 
-vi.mock('ioredis')
+vi.mock("ioredis")
 
-describe('GraphQL derivatives', () => {
-  describe('githubDerivativeQuery()', () => {
-    it('constructs a correct URL', () => {
-      expect(githubDerivativeQuery('ds000102', 'mriqc').toString()).toEqual(
-        'https://api.github.com/repos/OpenNeuroDerivatives/ds000102-mriqc',
+describe("GraphQL derivatives", () => {
+  describe("githubDerivativeQuery()", () => {
+    it("constructs a correct URL", () => {
+      expect(githubDerivativeQuery("ds000102", "mriqc").toString()).toEqual(
+        "https://api.github.com/repos/OpenNeuroDerivatives/ds000102-mriqc",
       )
     })
   })
-  describe('derivativeObject()', () => {
-    it('returns expected values for mriqc', () => {
-      expect(derivativeObject('ds000102', 'mriqc')).toEqual({
+  describe("derivativeObject()", () => {
+    it("returns expected values for mriqc", () => {
+      expect(derivativeObject("ds000102", "mriqc")).toEqual({
         dataladUrl: new URL(
-          'https://github.com/OpenNeuroDerivatives/ds000102-mriqc.git',
+          "https://github.com/OpenNeuroDerivatives/ds000102-mriqc.git",
         ),
         local: false,
-        name: 'ds000102-mriqc',
-        s3Url: new URL('s3://openneuro-derivatives/mriqc/ds000102-mriqc'),
+        name: "ds000102-mriqc",
+        s3Url: new URL("s3://openneuro-derivatives/mriqc/ds000102-mriqc"),
       })
     })
-    it('returns expected values for fmriprep', () => {
-      expect(derivativeObject('ds000102', 'fmriprep')).toEqual({
+    it("returns expected values for fmriprep", () => {
+      expect(derivativeObject("ds000102", "fmriprep")).toEqual({
         dataladUrl: new URL(
-          'https://github.com/OpenNeuroDerivatives/ds000102-fmriprep.git',
+          "https://github.com/OpenNeuroDerivatives/ds000102-fmriprep.git",
         ),
         local: false,
-        name: 'ds000102-fmriprep',
-        s3Url: new URL('s3://openneuro-derivatives/fmriprep/ds000102-fmriprep'),
+        name: "ds000102-fmriprep",
+        s3Url: new URL("s3://openneuro-derivatives/fmriprep/ds000102-fmriprep"),
       })
     })
   })